WallShadow wrote: You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

The settings page has what's called a CSRF token. That's a hidden field that has a bunch of random data in it that's also kept on the server. That stops CSRF from happening on pages like that. I would need to steal the token to change your settings.

Do not mistake understanding for realization, and do not mistake realization for liberation
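The synchronizer-token check described in the post above, written out as an added Python example (not code from this forum or from the site being discussed). The in-memory session store, the `/settings` route and the function names are assumptions made for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a real server-side session store: session id -> CSRF token.
_session_tokens: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh random token for this session and remember it server-side."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def render_settings_form(session_id: str) -> str:
    """Render the settings form with the session's token as a hidden field.

    The same random value now lives in two places: in the form the browser
    received, and in the server-side session record. A cross-site page cannot
    read the former, so it cannot reproduce it in a forged submission.
    """
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/settings">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted hidden field matches the token stored for this session.

    hmac.compare_digest is a constant-time comparison, so an attacker cannot
    learn the token byte by byte from response-time differences.
    """
    expected = _session_tokens.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_settings_post(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Minimal POST handler: reject with 403 unless the token check passes."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF check failed"
    # Real handler would update the user's settings here.
    return 200, "settings saved"
```

A token that is missing, belongs to a different session, or differs by a single character is rejected; only a submission carrying the exact token rendered into that session's form is accepted.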

WallShadow wrote: You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

The settings page has what's called a CSRF token. That's a hidden field that has a bunch of random data in it that's also kept on the server. That stops CSRF from happening on pages like that. I would need to steal the token to change your settings.

Not only that, the submit method there is POST, so your fancy trick won't work there.

Edit:

Unless you perform this CSRF with a proper form and everything somehow hosted on this site (I'm fairly sure that it won't work cross-domain).

Edit edit: scratch that, that's basically XSS already. Point is, you can't pull off a POST from a CSRF, as far as I know.